On Tue, Jan 17, 2017 at 5:05 AM, Andreas Walz <andreas.w...@hs-offenburg.de> wrote: > I fully support not to add new options / complexity to TLS "just because > they are > there" and I'm not at all doubting the rationale behind this. > > Our use case is legacy industrial communication over extremely lean media > (low > bandwidth, high error rate, etc.). We are investigating all directions of > conceivable > optimizations one could apply to DTLS (both configuration and > standardization) in > order to minimize what needs to be sent over the wire (or the ether). That's > why > I expressed interest in a number of old and not so old concepts and drafts > addressing > this. > > ChaCha20+Poly1305 seems to have some benefits over AES (e.g. performance in > pure > software). Currently, the only AEAD mode in (D)TLS I'm aware of that allows > authentication tags shorter than 16 bytes is CCM_8. I guess that there are > other > scenarios -- apart from ours -- where an efficient software-only cipher > (i.e. not > AES-CCM) is desirable but a full-length tag is a bad trade-off between costs > and > benefits. > > I don't have strong intentions to advocate to define yet another cipher > suite for > TLS. I'd rather get a sense of other WG members' interest in that specific > direction. > If there is consensus that there is no point in having ChaCha20+Poly1305 > with truncated > tags I'm fine with that. Maybe this would just rebut my assumption that > there could > be broader use for that.
Have you read the Poly1305 paper and the TLS spec carefully? The effect of tag truncation is far worse than it would be for other suits, although the Chacha20-Poly1305 uses a different r each time to ameliorate this if I understand correctly. Careful analysis is required. > > Cheers, > Andi Walz > > > >>>> Hanno Böck <ha...@hboeck.de> 01/17/17 1:10 PM >>> > On Tue, 17 Jan 2017 13:03:35 +0100 > "Andreas Walz" <andreas.w...@hs-offenburg.de> wrote: > >> I know there is some comprehensible reluctance against bloating the >> TLS ecosystem with even more cipher suites, but still ... have there >> been considerations / discussions on adding ChaCha20+Poly1305 cipher >> suites with truncted authentication tags for (D)TLS? > > The usual question to answer is: why? > > The general reluctance to add new ciphersuites "just because they are > there" is imho very reasonable and in the past TLS got bloated in > complexity far too much because of that. > > If you want a new ciphersuite you should have some good arguments why > they offer something that the current ones don't. Ideally these should > be specific. (Aka "Someone could need that for hypothetical situation > XYZ" is not very compelling. "I am developing a widely used product > where this would immensely help for Reasons xyz" is better.) > > -- > Hanno Böck > https://hboeck.de/ > > mail/jabber: ha...@hboeck.de > GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Man is born free, but everywhere he is in chains". --Rousseau. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
